knso/Webklar-Kundenbereich
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: knso:29918f2a8ae16f8dbce87f742eb65a340caa22e7
Branches Tags
knso:main
...
compare: knso:3f2572ca59fc106e62856be6e12b2833fa25a19e
Branches Tags
knso:main

2 Commits
29918f2a8a ... 3f2572ca59

Author SHA1 Message Date
KNSO
3f2572ca59 fix 3 2026-05-23 00:36:45 +02:00
root
bd59243e2c Fix Login: Appwrite-Session ohne secret auf dem Server 
session.secret wird ohne API-Key nicht zurückgegeben. Login nutzt
daher session.userId und die Admin Users API statt account.get().

Co-authored-by: Cursor <cursoragent@cursor.com>
 2026-05-22 22:16:31 +00:00
3 changed files with 38 additions and 40 deletions
Expand all files Collapse all files

46
server/routes/auth.js
View File

@@ -2,6 +2,7 @@ import { Router } from 'express'
import { config } from '../config.js' import { config } from '../config.js'
import { import {
getCustomerByAppwriteUserId, getCustomerByAppwriteUserId,
getCustomerByEmail,
getPortalAccessByCustomerId, getPortalAccessByCustomerId,
updateDocument, updateDocument,
} from '../services/appwriteAdmin.js' } from '../services/appwriteAdmin.js'
@@ -28,10 +29,15 @@ function sanitizeCustomer(customer) {
} }
} }
async function validatePortalAccess(appwriteUserId) { async function validatePortalAccess(appwriteUserId, email) {
const customer = await getCustomerByAppwriteUserId(appwriteUserId) let customer = await getCustomerByAppwriteUserId(appwriteUserId)
if (!customer && email) {
customer = await getCustomerByEmail(email)
}
if (!customer) { if (!customer) {
const error = new Error('Kein Kundenkonto für diesen Login gefunden.') const error = new Error(
`Kein Kundenkonto für diesen Login gefunden. Im Ticketsystem customers.appwriteUserId auf "${appwriteUserId}" setzen (E-Mail: ${email}).`
)
error.status = 403 error.status = 403
throw error throw error
} }
@@ -59,23 +65,6 @@ async function validatePortalAccess(appwriteUserId) {
return { customer, portalAccess } return { customer, portalAccess }
} }
const DEBUG_LOG = (location, message, data, hypothesisId) => {
// #region agent log
fetch('http://127.0.0.1:7281/ingest/30e8e71c-b377-4e72-84f9-593826c6d234', {
method: 'POST',
headers: { 'Content-Type': 'application/json', 'X-Debug-Session-Id': '80bbfc' },
body: JSON.stringify({
sessionId: '80bbfc',
location,
message,
data,
hypothesisId,
timestamp: Date.now(),
}),
}).catch(() => {})
// #endregion
}
router.post('/login', async (req, res) => { router.post('/login', async (req, res) => {
const { email, password } = req.body || {} const { email, password } = req.body || {}
if (!email || !password) { if (!email || !password) {
@@ -84,12 +73,7 @@ router.post('/login', async (req, res) => {
try { try {
const user = await loginWithAppwrite(email.trim(), password) const user = await loginWithAppwrite(email.trim(), password)
DEBUG_LOG('auth.js:login', 'appwrite user ok', { userId: user.$id }, 'H3') const { customer, portalAccess } = await validatePortalAccess(user.$id, email.trim())
const { customer, portalAccess } = await validatePortalAccess(user.$id)
DEBUG_LOG('auth.js:login', 'portal validation ok', {
customerId: customer.$id,
portalAccessEnabled: Boolean(customer.portalAccessEnabled),
}, 'H4')
setPortalSession(res, { setPortalSession(res, {
customerId: customer.$id, customerId: customer.$id,
@@ -109,10 +93,12 @@ router.post('/login', async (req, res) => {
return res.json({ success: true, customer: sanitizeCustomer(customer) }) return res.json({ success: true, customer: sanitizeCustomer(customer) })
} catch (err) { } catch (err) {
const status = err.status || 500 const status = err.status || 500
DEBUG_LOG('auth.js:login', 'login failed', { if (err?.message?.includes('not authorized')) {
status, return res.status(500).json({
message: err?.message?.slice(0, 120), error:
}, status === 403 ? 'H4' : status === 401 ? 'H1' : 'H5') 'Server-Konfiguration: APPWRITE_API_KEY benötigt databases.read für woms-database (customers, customerPortalAccess).',
})
}
return res.status(status).json({ error: err.message || 'Anmeldung fehlgeschlagen' }) return res.status(status).json({ error: err.message || 'Anmeldung fehlgeschlagen' })
} }
}) })

10
server/services/appwriteAdmin.js
View File

@@ -95,6 +95,15 @@ export async function getCustomerByAppwriteUserId(appwriteUserId) {
return docs[0] || null return docs[0] || null
} }
export async function getCustomerByEmail(email) {
if (!email) return null
const docs = await listDocuments(config.collections.customers, [
Query.equal('email', email.trim()),
Query.limit(1),
])
return docs[0] || null
}
export async function getPortalAccessByCustomerId(customerId) { export async function getPortalAccessByCustomerId(customerId) {
const docs = await listDocuments(config.collections.customerPortalAccess, [ const docs = await listDocuments(config.collections.customerPortalAccess, [
Query.equal('customerId', customerId), Query.equal('customerId', customerId),
@@ -133,7 +142,6 @@ export async function upsertWebsiteProjectByRepo(repoFullName, data) {
}) })
} }
/** @deprecated Nur für Kompatibilität nutzt native fetch */
export function createAdminClient() { export function createAdminClient() {
return { usesNativeFetch: true, databaseId: WOMS_DATABASE_ID } return { usesNativeFetch: true, databaseId: WOMS_DATABASE_ID }
} }

22
server/services/appwriteClient.js
View File

@@ -56,7 +56,7 @@ async function appwriteFetch(path, { method = 'GET', body } = {}) {
/** /**
* Appwrite Auth per native fetch (Node 26 + node-appwrite-Agent ist inkompatibel). * Appwrite Auth per native fetch (Node 26 + node-appwrite-Agent ist inkompatibel).
* Session.secret wird serverseitig oft nicht zurückgegeben userId aus Session nutzen. * session.secret fehlt serverseitig oft userId aus Session + Users-API.
*/ */
export async function loginWithAppwrite(email, password) { export async function loginWithAppwrite(email, password) {
let session let session
@@ -66,7 +66,6 @@ export async function loginWithAppwrite(email, password) {
body: { email, password }, body: { email, password },
}) })
DEBUG_LOG('appwriteClient.js:session', 'createEmailPasswordSession ok', { DEBUG_LOG('appwriteClient.js:session', 'createEmailPasswordSession ok', {
hasSecret: Boolean(session?.secret),
hasUserId: Boolean(session?.userId), hasUserId: Boolean(session?.userId),
sessionId: session?.$id || null, sessionId: session?.$id || null,
}, 'H6') }, 'H6')
@@ -81,9 +80,6 @@ export async function loginWithAppwrite(email, password) {
} }
if (!session?.userId) { if (!session?.userId) {
DEBUG_LOG('appwriteClient.js:session', 'no userId in session', {
sessionKeys: session ? Object.keys(session).filter((k) => !k.startsWith('provider')) : [],
}, 'H6')
const error = new Error('Appwrite-Session ohne userId.') const error = new Error('Appwrite-Session ohne userId.')
error.status = 500 error.status = 500
throw error throw error
@@ -94,9 +90,17 @@ export async function loginWithAppwrite(email, password) {
user = await getUserById(session.userId) user = await getUserById(session.userId)
DEBUG_LOG('appwriteClient.js:getUser', 'users.get ok', { userId: user?.$id || null }, 'H6') DEBUG_LOG('appwriteClient.js:getUser', 'users.get ok', { userId: user?.$id || null }, 'H6')
} catch (err) { } catch (err) {
DEBUG_LOG('appwriteClient.js:getUser', 'users.get fail, fallback', { DEBUG_LOG('appwriteClient.js:getUser', 'users.get fail', {
message: err?.message?.slice(0, 80), message: err?.message?.slice(0, 120),
}, 'H6') code: err?.code,
}, 'H7')
if (err?.message?.includes('not authorized')) {
const error = new Error(
'Server-API-Key: Scope users.read erforderlich (Appwrite Console).'
)
error.status = 500
throw error
}
user = { $id: session.userId, email, name: '' } user = { $id: session.userId, email, name: '' }
} }
@@ -104,7 +108,7 @@ export async function loginWithAppwrite(email, password) {
try { try {
await deleteUserSession(session.userId, session.$id) await deleteUserSession(session.userId, session.$id)
} catch { } catch {
// Portal nutzt eigene Session; Appwrite-Session optional aufräumen // Portal nutzt eigene Cookie-Session
} }
} }